INFORMATION ON THE PROCESSING OF PERSONAL DATA BY THE CONTROLLER FOR MARKETING
PURPOSES

provided according to Regulation (EU) 2016/679 of the European Parliament and of the Council on
the protection of natural persons in the processing of personal data and on the free movement of
such data, repealing Directive 95/46/EC (General Data Protection Regulation), in effect from
25.05.2018 (hereinafter referred to as “GDPR Regulation”) and according to Act No. 18/2018 Coll. on
the Protection of Personal Data and on Amendments to Certain Acts, as amended on 25.05.2018
(hereinafter also referred to as “Act on Personal Data Protection”).

All personal data are processed in accordance with the GDPR Regulation with effect from
25.05.2018.

I hereby acknowledge that the website controlled on behalf of Klingerka, s.r.o., with its
registered office at Dvořákovo nábrežie 10, 811 02 Bratislava, ID: 50 944 045, registered in: The
Commercial Register of the Bratislava I District Court, Section: Sro, File No. 120458/B (hereinafter
also referred to as “KLINGERKA”) is not directly intended for people who cannot authorize the
Controller to process their personal data themselves.

A. Who we are

KLINGERKA is a company, which maintains the Klingerka office project.

For marketing and analytical purposes, KLINGERKA processes personal data related to you to the following extent:

1) name and surname;
2) email address;
3) telephone number;

(the data referred to in Points 1) to 3) above hereinafter collectively referred to as also “Personal
Data”).

B. Information on the processing of Personal Data on behalf of KLINGERKA according to the GDPR Regulation and the Personal Data Protection Act

1. Identification and contact details of the Controller

The Controller, on behalf of which the Personal Data is processed, is KLINGERKA, with its registered
office at Dvořákovo nábrežie 10, 811 02 Bratislava, ID:50 944 045, registered in: Commercial Register
of the Bratislava I District Court, Section: Sro, File No.: 120458/B.

2. The purposes of processing Personal Data and the legal basis for the processing of Personal Data

KLINGERKA, as the Controller, processes Personal Data to the extent that it was provided by you as
the Data Subject for the following purposes:

(i) the purpose of direct marketing, to inform clients, as the Data Subject, about news on the Project and addressing clients with other marketing offers of the Controller, of the KLINGERKA, through direct mail, direct offers, or another suitable form. The legal basis for the processing of Personal Data is the authorized interest of KLINGERKA (Article 6, Paragraph 1, Letter f) of the GDPR) or consent if the client provides an email address and declares consent to the processing of his/her Personal Data for the purpose of sending business and marketing information from KLINGERKA as the Controller (Article 6, Paragraph 1, Letter a) of the GDPR);
(ii) the purpose of fulfilling the obligations of KLINGERKA, as the Controller, according to applicable legislation, e.g. tax obligations or obligations related to consumer protection in the internal market. The legal basis for the processing of Personal Data is the fulfillment of legal obligations (Article 6, Paragraph 1, Letter c) of the GDPR);
(iii) statistical purposes, for the purpose of combining Personal Data with other client data for the purpose of creating reports that help improve the service of KLINGERKA, as the Controller, while maintaining technical and organizational measures to ensure compliance with the principle of data minimization. The legal basis for the processing of Personal Data is thus compatible with the further processing of Personal Data (Article 5, Paragraph 1, Letter b) together with Article 89 1 of the GDPR);
(iv) the purpose of keeping a record of the requests of Data Subjects and their handling by the Controller, KLINGERKA. The legal basis for the processing of Personal Data is the authorized interest of KLINGERKA (Article 6, Paragraph 1, Letter f) of the GDPR).

3. Categories of Data Subjects

KLINGERKA, as the Controller, processes Personal Data for purposes of direct marketing related to
clients, as the Data Subjects, for which KLINGERKA records that they have expressed interest in the Project.

4. Authorized Interests Pursued by KLINGERKA as the Controller

KLINGERKA sees an authorized interest in the possibility of acquainting clients in the future with
suitable offers related to the Project. The legal basis for the processing of Personal Data on behalf
of KLINGERKA for the purpose of direct marketing is an authorized interest of KLINGERKA according
to the relevant article of the GDPR and the relevant provisions of the Personal Data Protection Act,
on the condition that in the case of such interests on the part of KLINGERKA they do not outweigh
the interests or basic rights and freedoms of the Data Subject that require the protection of personal
data.

If you are not interested in receiving news and up-to-date information on promotional offers
related to the Projects as the Data Subject, you may, at any time and free-of-charge, exercise the
right to object due to reasons related to your concrete situation, to the processing of Personal Data
for the purpose of direct marketing by KLINGERKA, as the Controller, mainly in the following ways:

a) by clicking on the relevant link found in each newsletter at any time and free-of-charge;
b) through email: amslsp-re@slsp.sk; or
c) by post to the registered office of KLINGERKA, at the following address: Dvořákovo nábrežie 10, 811 02Bratislava.

If you object to the processing of Personal Data for the purpose of direct marketing, KLINGERKA
will not further process your Personal Data, and you will not receive any news from KLINGERKA.
In handling the requests of the Data Subject, KLINGERKA sees its authorized interest in the possibility
of demonstrating compliance of the procedures with the requirements of the GDPR.

5. Guidance on the Voluntariness or Obligation to Grant Consent to the Processing of Personal Data

If the Data Subject is interested in the Controller, KLINGERKA, sending news and marketing
information, the Data Subject is obliged to provide at least its email address to KLINGERKA and to
grant consent to the processing of his/her Personal Data for the purposes of direct marketing,
otherwise it is not possible to subscribe to the news and marketing information sent by KLINGERKA.

6. Recipients or Categories of Recipients of the Personal Data

It is expected that the Personal Data processed on behalf of KLINGERKA, as the Controller, will be
provided to the following recipients for the purpose of direct marketing:

i. J & T REAL ESTATE, a.s., with its registered office on Dvořákovo nábrežie 4, 811 02 Bratislava, ID: 35 712 155, registered in: The Commercial Register of the Bratislava I District Court, Section: Sa, File No. 1352/B;
ii. Touch4IT s.r.o., with its registered office at Hany Meličkovej 5, 841 05 Bratislava, ID: 48 024 066, registered in: The Commercial Register of the Bratislava I District Court, Section: Sro, File No.: 102430/B (hereinafter referred to as “Touch4IT s.r.o.”);
iii. MailChimp c/o The Rocket Science Group, LLC, with its registered office at 675 Ponce De Leon AVE NE, Suite 5000, Atlanta, GA 30308 USA, MOSS No. EU 826 477 914 (hereinafter referred to as “MailChimp”);
iv. Skorpio group, s.r.o, with its registered office on Banšelova 24; 821 04 Bratislava, registered in: The Commercial Register of the Bratislava I District Court, Section: Sro, File No.: 128455/B
v. Asset Management Slovenskej sporiteľne, správ. spol. a.s.., with its registered office at Tomašikova 48, 832 65 Bratislava, ID: 35 820 705, registered in: The Commercial Register of the Bratislava I District Court, Section: Sa, File No.: 2814/B

7. The Transfer of Personal Data to a Third Country

MailChimp will transfer the Personal Data to third countries, to the United States of America.
MailChimp has its own certification due to the maintenance of security rules related to personal data
protection for EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield transactions and legally transfers
EU/EEA personal data to the United States of America in accordance with Privacy Shield certification.
Every year, MailChimp also completes a SOC II Type 2 exam in the Core Criteria for ensuring Trust,
Integrity in Processing, Confidentiality, and Availability.

The transfer of personal data to a third country or to an international organization may occur if the
Commission decides that a third country, territory or several designated sectors in that third country
or the given international organization guarantees an adequate level of protection. No special
permission is necessary for such a transfer (Article 45, Paragraph 1 of the GDPR);

From the information available at the Personal Data Protection Office of the Slovak Republic, companies certified under the Privacy Shield regimen with a registered office in the United
States of America belongs among entities the European Commission has included in the relevant
decision in the list of third-country entities that guarantee an adequate level of protection of
personal data according to the GDPR.

The Decision of the Commission on the adequate protection of personal data, including the list of
countries, can be found on the following Internet link: http://ec.europa.eu/justice/data-
protection/international-transfers/adequacy/index_en.htm.

8. The Retention Period of Personal Data, or the Criteria for Determining the Processing Period of Personal Data

Personal data will be processed until the period when the purpose of processing the Personal Data
for which it was obtained expires, however, at the latest until the legal basis for the processing of
Personal Data according to the GDPR and the Act on Personal Data Protection is in force.

9. Information Related to Automated Individual Decision-Making

KLINGERKA, as the Controller, does not use any of the automated individual decision-making or
profiling procedures in the processing of Personal Data on behalf of KLINGERKA.

10. Information on Other Rights of Clients, as the Data Subjects, in Accordance with Valid and Effective Legislation and Information on the Procedures for Exercising the Rights of Clients, as the Data Subject, According to the Provisions of the Personal Data Protection Act

On the condition of compliance with the valid and effective legal regulations governing personal data
protection according to the GDPR and according to the Act on Personal Data Protection, as the Data
Subject you have the following rights:

The Right to Request Access to the Personal Data Related to Him/Her from the Controller,
according to Article 15 of the GDPR:

The Data Subject has the right to obtain from KLINGERKA, as the Controller, confirmation of
the processing of the personal data related to him/her and, if so, he/she has the right to access
such personal data and the following information:

a) processing purposes;
b) the data category of the data subject;
c) the recipients or the categories of recipients to whom the personal data have been or will be provided, mainly recipients in third countries or international organizations;
d) when possible, for the expected retention period of the personal data or, if that is not possible, the criteria for its determination;
e) the existence of the right to require the Controller to correct personal data relating to the Data Subject or delete or restrict the processing or to oppose such processing;
f) the right to file a grievance with a supervisory authority;
g) if personal data have not been obtained from the Data Subject, any available information concerning their source;
h) the existence of automated decision-making, including the profiling specified in Article 22, Paragraph 1 and 4 of the GDPR and, in such cases, at least meaningful information on the used procedure, as well as the significance and foreseeable results of such processing for the Data Subject. If personal data are transferred to a third country or international organization, the Data Subject shall have the right to be informed of reasonable guarantees regarding the transfer according to Article 46 of the GDPR.

KLINGERKA, as the Controller, will provide a copy of the personal data being processed. For
any further copies requested by the Data Subject, the Controller may charge a reasonable fee
corresponding to the administrative cost. If the Data Subject has made the request through
electronic means, the information shall be provided in a commonly used electronic form,
unless the Data Subject has requested a different method. The right to obtain a copy must not
result in an adverse effect on the rights and freedoms of others.

Right to the Rectification of Personal Data according to Article 16 of the GDPR:

The Data Subject has the right so that KLINGERKA, as the Controller, corrects incorrect
personal data relating to him/her without undue delay. With regard to processing purposes,
the Data Subject is entitled to supplement incomplete personal data, also through the
provision of a supplementary statement.

Right of Deletion (Right to “Obscurity”) according to Article 17 of the GDPR:

The Data Subject also has the right to obtain from KLINGERKA, as the Controller, the deletion
of the personal data concerning him/her without undue delay and KLINGERKA, as the
Controller, is obliged to delete personal data without undue delay if any of the following
reasons are met:

a) personal data are no longer needed for the purposes for which they were obtained or otherwise processed;
b) the Data Subject revokes the consent under which the processing is performed in accordance with Article 6, Paragraph 1, Letter a) or Article 9, Paragraph 2, Letter a) of the GDPR, and when there exists no other legal basis for processing;
c) the Data Subject objects to the processing according to Article 21, Paragraph 1) of the GDPR and do not preclude any authorized reason for processing, or the Data Subject objects to the processing according to Article 21, Paragraph 2 of the GDPR);
d) the personal data was unlawfully processed;
e) the personal data must be deleted in order to meet a legal obligation according to the law of the Union or the law of the Member State to which the Controller is subject;
f) the personal data were obtained in connection with the provision of information society services according to to Article 8, Paragraph 1 of the GDPR);

If the Controller discloses personal data and is obliged to delete personal data, taking into
consideration available technology and the cost of implementing the measures, it shall take
reasonable measures, including technical measures, to inform the Controllers who process the
personal data that the Data Subject is requesting them to delete all references to such
personal data, along with their copies or replicas.

The right of deletion does not apply if processing is necessary:

a) for the exercising of the right to freedom of expression and information;
b) for meeting a legal obligation requiring processing according to Union law or the law of the Member State to which the Controller is subject, or in order to meet a task implemented in the public interest or in the exercising of public authority entrusted to the Controller;
c) due to public interest in the field of public health, in accordance with Article 9, Paragraph 2, Letter h) and i) and Article 9, Paragraph 3 of the GDPR);
d) for the purpose of archiving in the public interest, for the purposes of scientific or historical research or for statistical purposes according to Article 89, Paragraph 1 of the GDPR, unless it is probable that the above-mentioned law will seriously disallow or severely impair the reaching of the objectives of such processing, or
e) to prove, enforce or defend legal claims.

The Right to Restrict Processing according to Article 18 of the GDPR:

The Data Subject has the right to restrict the processing by the Controller for one of the
following cases:

a) the Data Subject asserts the accuracy of the personal data during a period allowing the Controller to verify the accuracy of the personal data;
b) the processing is unlawful and the Data Subject objects to the deletion of personal data and requests restrictions on their usage instead;
c) the Controller no longer needs personal data for processing but needs the Data Subject for the proving, application or defense of legal claims;
d) the Data Subject objected to the processing according to Article 21, Paragraph 1 of the GDPR, until verification whether authorized reasons on the part of the Controller outweigh the authorized reasons of the Data Subject.

If the processing in accordance with the above-mentioned restriction has been restricted, such
personal data shall, with the exception of retention, be processed only with the consent of the
Data Subject or for the purpose of proving, applying or defending legal claims or for the
protection of the rights of another natural person or legal entity or for reasons of significant
public interest for the Union or a Member State.

A Data Subject who has attained a restriction in processing in accordance with the above-
mentioned is informed by the Controller before the processing restriction is revoked.

The Right to Data Portability according to Article 20 of the GDPR:

The Data Subject has the right to obtain personal data relating to him/her and which he/she
has provided to the Controller in a structured, commonly used and machine-readable format
and has the right to transfer this data to another Controller without the provider to whom the
personal was provided preventing the transfer, if: a) the processing is based on the consent
referred to in Article 6, Paragraph 1, Letter a) or Article 9, Paragraph Article 2, Letter a) of the
GDPR or the contract referred to in Article 6, Paragraph 1, Letter b) of the GDPR, and b) where
the processing is performed through automated means.

In the exercising of his/her right to data portability, the Data Subject has the right to transfer
personal data directly from one Controller to another Controller, as much as technically
possible.

The application of the law does not affect Article 17 of the GDPR. This right does not apply to
the processing necessary to meeting a task performed in the public interest or in the exercise
of public authority entrusted to the Controller. The right to data portability must not have an
adverse effect on the rights and freedoms of others.

The Right to Object to Processing, Including Objection to Profiling (If Performed) according to
Article 21 of the GDPR:

The Data Subject shall have the right at any time to object, for reasons relating to his or her
concrete situation against the processing of personal data concerning him/her, which is
performed pursuant to Article 6, Paragraph 1, Letter e) or f) of the GDPR, including objection
to profiling, based on the above-mentioned provisions. The Controller may not further process
personal data unless it demonstrates the necessary authorized reasons for processing, which
outweigh the interests, rights and freedoms of the Data Subject or reasons for proving,
applying or defending legal claims. If the personal data are processed for the purposes of
direct marketing, the Data Subject has the right at any time to object to the processing of
personal data relating to him/her for the purposes of such marketing, including profiling in the
range related to such direct marketing. If the Data Subject opposes the processing for
purposes of direct marketing, the personal data may no longer be processed for such
purposes.

In relation to the use of information society services and regardless of Directive 2002/58/EC,
the Data Subject may exercise his/her right to object to automated means by use of technical
specifications. If the personal data are processed for purposes of scientific or historical
research or for statistical purposes according to Article 89, Paragraph 1 of the GDPR, the Data
Subject has the right to object, for reasons related to his/her concrete situation, to the
processing of personal data concerning him/her, except in cases when processing is necessary
for meeting a task due to public interest.

The Right to File a Grievance to the Supervisory Authority Pursuant to Article 77 of the GDPR:

The supervisory authority to which the Data Subject addresses his/her complaint in justified
cases shall be understood as the Office for the Protection of Personal Data of the Slovak
Republic, with its registered office at Hraničná 12, 820 07 Bratislava 27.

The Right to Revoke Consent to Processing according to Article 7 of the GDPR:

In case the legal basis for the processing of personal data is the consent of the Data Subject,
the Data Subject may at any time revoke his/her consent without impacting the lawfulness of
the processing based on the consent granted prior to its revoking.

The right to revoke consent at any time, even before the expiration of the period for which it
was granted, may be exercised by the Data Subject mainly through the following ways:

a) by clicking on the relevant link found in each newsletter at any time and free-of-charge;
b) through e-mail: amslsp-re@slsp.sk; or
c) by post to the registered office of KLINGERKA, at the following address: Dvořákovo nábrežie 10, 811 02 Bratislava.

KLINGERKA is obliged to take appropriate measures and provide information to the Data
Subject according to Section 19 and 20 of the Personal Data Protection Act and notifications
according to Sections 21 to 28 and 41 of the Personal Data Protection Act concerning the
processing of his/her personal data, in a concise, transparent, comprehensible and easily
accessible form, clearly worded, mainly for information intended specifically for a child.

KLINGERKA is obliged to provide information paper or electronic form, regularly in the same
format as the sent request. If requested by the Data Subject, KLINGERKA may also provide
orally information if the Data Subject can prove his/her identity through another method.

KLINGERKA provides assistance to the Data Subject in exercising his/her rights according to
Sections 21 to 28 of the Personal Data Protection Act. In the cases specified in Section 18,
Paragraph 2 KLINGERKA, as the Controller , cannot refuse to act on the basis of the request of
a Data Subject in the exercising of his/her rights according Sections 21 to 28 of the Personal
Data Protection Act, unless it proves that it is not able to identify the Data Subject.

KLINGERKA is obliged to provide the Data Subject with information on the measures that were
taken at his/her request according to Sections 21 to 28 of the Personal Data Protection Act
within one month of receiving the request from the Data Subject. In justified cases the above-
mentioned period can be extended by KLINGERKA for another two months, with regard to the
complexity and the number of applications, also if repeated. However, KLINGERKA is obliged
to inform the Data Subject of any such extension within one month of receiving the request
along with the reasons for the extension of the period. If the Data Subject has sent in a
request in electronic form, KLINGERKA will provide the information in electronic form if the
Data Subject did not request that the information be provided through another method.

If KLINGERKA fails to carry out measures at the request of the Data Subject, it shall, within one
month from receiving the request, inform the Data Subject of the reasons for the failure to
take measures and the possibility of filing a proposal according toSection 100 of the Personal
Data Protection Act at the Office for the Protection of Personal Data of the Slovak Republic,
with its registered office at Hraničná 12, 820 07 Bratislava 27.

Information according to Sections 19 and 20 of the Personal Data Protection Act and the
notifications and measures taken according to Sections 21 to 28 and 41 of the Personal DataProtection Act are provided free-of-charge. If the request of the Data Subject is manifestly
unfounded or inappropriate mainly due to its recurring nature, KLINGERKA may:

a) require a reasonable fee, considering the administrative costs of providing information or a reasonable fee considering the administrative costs of communication or a reasonable fee considering the administrative costs of implementing the requested measure; or
b) refuse to act on the basis of the request.

KLINGERKA shall prove the irrelevance or inappropriateness of the request.

KLINGERKA may request the provision of additional information necessary to verify the
identity of the Data Subject if it has reasonable doubts as to the identity of the natural person
who submitted the request according to Section 21 to 27 of the Personal Data Protection Act;
laid down bySection 18 of the Personal Data Protection Act.

In case of any questions, you can contact KLINGERKA at any time through the contact form
specified and found on the website.
Besides our contact form, you can also contact us at any time through the phone line, at +421 2
5941 8200, through e-mail amslsp-re@slsp.sk or through post, at the address of KLINGERKA,
at the following address: Dvořákovo nábrežie 10, 811 02 Bratislava.

INFORMATION ON THE PROCESSING OF PERSONAL DATA BY THE CONTROLLER FOR MARKETING PURPOSES